The Workflow of Microsoft Copilot for Security

Large Language Models (LLMs): Large Language Models are a type of artificial intelligence model designed to understand, generate, and interpret natural language. These models are trained on vast amounts of textual data to enable them to answer questions, write text, and even understand context-specific queries.

User Prompts: In the context of generative AI, a user prompt refers to the input or question provided by the user to the AI model. For Microsoft Copilot for Security, user prompts might include requests such as summarizing security incidents, generating scripts, or assessing vulnerabilities.

Grounding: Grounding is a critical process in AI where the system enriches the user prompt with additional contextual information. For instance, when a prompt refers to a particular vulnerability or CVE ID, grounding ensures that the AI gathers relevant threat intelligence data before proceeding with the response.

Generative AI: Generative AI refers to a class of artificial intelligence models that generate new data based on the input it receives. This includes text generation, content creation, and interactive conversation. Microsoft Copilot for Security leverages generative AI to produce insights, summaries, and automated responses based on the security data it analyzes.

User Interface (UI): Users interact with Copilot for Security through either the dedicated portal at securitycopilot.microsoft.com or via embedded experiences within Microsoft security solutions like Microsoft Defender, Intune, Entra, and Purview. This user interface allows security professionals to submit prompts, review results, and configure settings.

Plugins: Plugins play a vital role in connecting Copilot to various Microsoft security products (e.g., Microsoft Defender, Sentinel) and third-party solutions (e.g., ServiceNow, Splunk). These plugins help Copilot pre-process prompts and post-process responses, ensuring seamless integration with existing security infrastructures.

Large Language Models (LLMs): Microsoft Copilot for Security leverages LLMs such as GPT-4 to process complex prompts, generate insights, and provide human-like responses. The LLMs analyze the input, derive patterns, and produce actionable recommendations based on the context.

Responsible AI Services: Responsible AI services are employed to check and validate AI responses, ensuring they meet ethical and compliance standards. This component is crucial for maintaining data integrity and ensuring that outputs are safe and reliable.

Azure OpenAI Service: Azure OpenAI Service acts as the underlying infrastructure that hosts and deploys the AI models. It provides the computational power and scalability needed to process large amounts of data and generate responses at machine speed.

Initiation: The process begins when a user submits a prompt to Copilot for Security through the UI. For instance, a security analyst might ask, "What are the top security incidents from the past month?"

Pre-processing: Upon receiving the prompt, Copilot for Security selects the appropriate plugin based on the query. For example, if the query involves recent security incidents, Copilot might engage Microsoft Defender Threat Intelligence to fetch relevant data.

Grounding: The grounding process involves refining the initial prompt to make it more context-aware. This might include referencing organizational data, threat intelligence feeds, or external databases. For example, if a vulnerability ID is mentioned in the prompt, Copilot will pull information about that specific vulnerability to enhance the response.

Large Language Model Processing: Once the prompt is grounded, it is sent to the LLM for processing. The LLM generates a response based on the grounded prompt, leveraging its training to produce a detailed, human-readable output.

Post-processing: The LLM response is then sent back to Copilot for post-processing, where plugins may be called again to format the response or add additional data. For example, if the response involves executing a script or command, Copilot ensures that it is formatted correctly and can be executed within the appropriate security context.

Responsible AI Checks: Before the response is delivered to the user, it undergoes a series of responsible AI checks to ensure it complies with organizational policies and ethical standards. This step is vital for preventing harmful or non-compliant outputs.

Response Delivery: The final response is presented to the user through the Copilot interface. If necessary, the user can request additional details, refine the prompt, or trigger automated actions based on the response.

Logging and Review: Every interaction is logged and can be reviewed later for auditing purposes. Users can see the sequence of plugins used, the grounding context applied, and the LLM's response generation process.